PLC Director - February 2005

01/01/2012

“IT Governance – how does an IT governance framework improve compliance, reduce risk and cut costs?”

If information is the lifeblood of the modern enterprise, information technology provides its circulatory and nervous systems. In our ruthlessly competitive business environment, information technology makes possible the move from a tangible, asset based valuation to an intangible, intellectual capital based one.  Information and IT provide competitive advantage, improve productivity, reduce costs, support communication and operational capability, and are essential for financial reporting.  This must put information and IT near the top of the board agenda.



Competitiveness


IT is not a low-cost, low-impact, static technology. It is investment-intensive. Innovation is common; speed of innovation and speed of deployment are, in a wired world, critical in developing, maintaining, or destroying, competitive advantage. The pace of change is a stimulus to which organisations respond pro-actively, or the value of their information assets and their competitive position are eroded. Of course, a business whose IT systems are inappropriate (ill-designed, outdated, misaligned or inadequate) for its business model and current strategy is already in serious trouble.



Governance


All this makes today’s governance environment even more complex: clearly, the value and importance of information assets are now such that the core governance principles (setting strategic aims; providing strategic leadership; overseeing and monitoring the performance of executive management; and reporting to shareholders on their stewardship of the organisation) must be seen to encompass information and IT. A culture of opaqueness around IT is out of line with today’s expectations for governance transparency.

The Turnbull guidance is explicit that “a company’s system of internal control …will include…information and communications processes”[1] and that “internal controls…should include all types of controls including those of an operational and compliance nature.”[2] 

There isn’t much wiggle room here. If the organisation depends on information and/or information technology, boards need to formally consider their direct information risks (in the areas of compliance, information security, system development and deployment, etc.) as well as the data interdependence risks in their supply chains. “I don’t really understand IT” is as inadequate a defence as “I’m not that interested in technology”.



Compliance


In addition to the Revised Combined Code, boards of UK listed companies will now be subject to the Companies Act 2004; may have to comply with Sarbanes-Oxley (because of a US listing or pressure from US customers) and a host of other US legislation; and are likely to be trading internationally in a number of jurisdictions, each with its own set of copyright, data protection, privacy and computer misuse legislation.

However, statute and regulations overlap, are sometimes contradictory, and almost all lack implementation guidance or adequate precision. Any web presence brings with it another far-flung jumble of fast-changing regulation. Directors, though, are expected to be pro-active in identifying and taking necessary governance action. Compliance failures bring financial and reputational damage to companies and to individual directors.  



Information risk


While cyber war and cyber terrorism win CBI and newspaper headlines, neither is a real immediate threat.  100,000 viruses, “worms” and Trojan code in the “wild”, automated “hacking scripts”, combined with the wide range of vulnerabilities in most commercially available software, render many information systems unsafe. Spam, ‘phishing’, organised crime and espionage extend the list of significant external threats.

However, more information security incidents (fraud, sabotage, intellectual property theft, information leakage, error and straightforward incompetence) originate inside the organisation than outside it. Incidents increase geometrically in number each year, as does their average direct value. The indirect cost, primarily management and staff time, usually far exceeds the direct costs, and the reputational damage can be even more expensive.

Information security solutions, though, are often technology-driven barriers to effective, customer-responsive activity; their total cost of ownership often exceeds the total potential impact cost of the threat they control; the prioritisation of strategic information risk response is almost always out of line with strategic business needs; and there is almost never any meaningful, quantitative board level data about the effectiveness or ROI of the solutions deployed.



System deployment


Technology should be a business enabler, contributing to improved productivity, better customer service, better supply chain management, better cost control, better shareholder information, etc.  How many boards are able to quantify how their IT investments enabled them to improve their competitiveness?

The substantial investments that businesses make every year in new technology projects should be objectively related to their business strategy.  However, as much as 40% of new technology projects do not deliver their promised key benefits; even more are late, over budget, or both.  Every IT project exposes an organisation to significant financial, operational and competitive risk, yet few are subject to a formal process which reduces these risks. Not surprisingly, shareholders are increasingly questioning the effectiveness of IT project governance processes.



IT governance


Risks (around compliance, to information assets and reputation, and in system design and deployment) are such that decision-making around them should clearly, but all too often doesn’t, take place within a coherent, transparent governance framework. The failure of many IT projects to deliver the value expected of them, the daily frustrations experienced by users of IT systems, and the regular security breaches of IT systems worldwide are all symptoms of inadequate IT governance.

IT governance is “a framework for the leadership, organisational structures and business processes, standards and compliance to these standards, which ensures that the organisation’s IT supports and enables the achievement of its strategies and objectives.”



IT governance framework

The board (operating through a robust IT steering committee, one or more independent members of which should have strategic technical expertise, recruited – if necessary – for this purpose, and working closely with the audit committee) needs to understand the information and IT requirements of its business strategy and the ways in which they drive the company’s value and value proposition. 

This committee should have oversight of all IT activity in the company (including systems architecture, project and process management methodologies, service level requirements, etc); should be responsible for approving, monitoring and reviewing all information related projects; should be accountable for the protection of all the company’s information assets; and should ensure that the whole board receives relevant, regular, quantitative reports on IT system performance, information security and return on IT investment.

Its responsibility should therefore include identification of all information and technology related risks, ensuring that the corporate risk management plan systematically includes these risks, and that effective controls and monitoring processes (including external review and audit) have been instituted.  It might also be appropriate to deploy a structured Information Security Management System (“ISMS”) which is capable of accreditation to BS 7799-2:2002/ISO 17799.

The board should also see a ‘de-conflicted’ legal matrix, by jurisdiction, for all its operations (including its web presence) and annually review legal changes. It should then ask how the company’s automated compliance processes are adapted to enable the deployment of innovative, competitive technologies.



Benefits


An IT governance framework brings 5 benefits. Directors will know that:

1. the board’s legal and regulatory compliance requirements are adequately met;

2. information risks are systematically identified and controlled;

3. the IT systems infrastructure is adequate to and appropriate for the business model and business strategy;

4. technology projects are cost-effectively managed to deliver their required benefits; and

5. the total cost of IT activity is reducing.



More business bang for the IT buck is evidenced by recent external research showing that IT governance strategies help businesses generate IT investment returns up to 40% greater than their competitors. Among firms following similar business strategies, those with good IT governance structures average profits 20% better than their competitors.



[1] Turnbull Guidance: paragraph 21

[2] Turnbull Guidance: paragraph 28
